Researchers Infiltrate and 'Pollute' Storm Botnet
ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied away from this controversial method because they don't "want to mess with other peoples' PCs by injecting commands," said one botnet expert quoted in the article."
Add free article here.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Even though I agree with you on the second half of the comment, I still think you are spreading FUD with the first part. 1) "Researchers" don't "just" send the polluted hashes to the bots in hopes of disrupting communications. 2) They aren't "fuzzing" the bots looking for a vulnerability that will disrupt a command channel and possibly crash a bot completely. That would be extremely irresponsible. 3) "Researchers" analyze the bot software locally in order to determine the correct hash strings to figure out the way to disrupt communication. 4) Obviously the 'attackers' can introduce a back process into their bot software that would destroy the bot image and OS completely if such control channel disruption is detected; however, it's pointless since the bot is out of commission anyway.
TFA states that they are changing the hash values that the bots use to talk to one another. They aren't issuing commands, they're interrupting the communication of the bots.
If you RTFA, they are not sending any commands to the end computer. They are just disrupting communications between the nodes.
Effectively, fracturing the net into multiple pieces; not taking control of the computers and doing something.
This is not a counter-attack to the infection or anything like that. They're just jamming the comm system that the bots use. They're not actively doing anything to the bot or computer.
To the ones worried about the ethics, at least in this case: What the researchers did, in a sense, is change the 'name' and/or 'password' the bot uses to call the bot master and authenticate itself. In short, they removed the ability of the bot to get more commands.
V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
Actually, if I'm not mistaken, TFA claims that the researchers are using those exact vectors to do their counterattacks. As in, they mess with the encryption key so that any data that comes in from the controllers or other bots will be reported as bogus due to the controller/bot keys not matching. This, in a large way, renders the bot harmless, as it will now ignore all orders, expecting something signed by a key that will never arrive.
It's honestly a clever way to pull it off, though it does open the door to a malicious someone planting a legitimate key to someone else's commands, assuming it's as easy as the researchers seem to indicate to plant a bogus one. Or re-attacking the machine to put a Storm key back in.
Demanding constant attention will only lead to attention.
Mod points are not supposed to be used as "I agree".
Since your ./ ID is over the million, you must be new here and, in a grand welcoming gesture of mine, I will share this Slashdot secret with you.
RTFA=Read The Fucking Article.
In many states you can be sued for improperly providing CPR. In fact, it happens quite a lot.
moox. for a new generation.
Actually, the paper presented at the conference, http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/, mentions that the fracturing attack does not work. The Storm botnet currently only does 2 things.
1. It sends spam e-mails if it receives a file in a spam template format with another file containing a list of addresses.
2. It commits a denial-of-service attack against a host if it receives a different templated file.
What the researchers are proposing is to become a sender and to send out floods of blank files faster than the actual operators can send out their real files. As a result, the hosts are too busy downloading the 2200 phony files to get around to the 1 real one.
The time it takes for all the network nodes to get around to the real file eliminates the power of the botnet, reducing its effectiveness to that of a few machines even if it contains tens of thousands.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
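The comment above describes the pollution approach as a race: the defender publishes far more junk files under the rendezvous key than the operator publishes real ones, so each bot spends most of its time fetching junk. The following toy model is an added example, not code from the paper or from the article; the rendezvous key, the "one real file versus P phony files" pool, and the assumption that a bot fetches the published files in a random order are all constructed here to illustrate the dilution effect, not a description of Storm's actual protocol.

```python
"""Toy model of the 'pollution' mitigation discussed in the thread.

Constructed example: one rendezvous key, one genuine command file published
by the operator, and phony_count junk files published by a defender.  Each bot
fetches the files under that key in a random order and acts only when it
reaches the genuine one.  All numbers are illustrative.
"""
import random
from fractions import Fraction

REAL, PHONY = "real", "phony"


def publish(phony_count: int) -> list:
    # The rendezvous key now resolves to 1 real file plus phony_count junk files.
    return [REAL] + [PHONY] * phony_count


def fetches_until_real(pool: list, rng: random.Random) -> int:
    # A bot walks the published files in an unknown order (modelled as random)
    # and stops at the first genuine command.  Returns the number of fetches.
    order = pool[:]
    rng.shuffle(order)
    return order.index(REAL) + 1


def expected_fetches(phony_count: int) -> Fraction:
    # Closed form: the real file is equally likely at any of phony_count + 1
    # positions, so the expected position is (phony_count + 2) / 2.
    return Fraction(phony_count + 2, 2)


def fraction_acting_within(phony_count: int, fetch_budget: int) -> Fraction:
    # Share of bots that reach the real file within fetch_budget fetches,
    # i.e. the effective size of the botnet as seen by the operator.
    return min(Fraction(1), Fraction(fetch_budget, phony_count + 1))


def simulate(bots: int, phony_count: int, fetch_budget: int, seed: int = 1) -> dict:
    # Monte Carlo check of the closed forms above over a population of bots.
    rng = random.Random(seed)
    pool = publish(phony_count)
    counts = [fetches_until_real(pool, rng) for _ in range(bots)]
    acted = sum(1 for c in counts if c <= fetch_budget)
    return {"mean_fetches": sum(counts) / bots, "acted_fraction": acted / bots}


if __name__ == "__main__":
    # Compare an unpolluted key with the 2200-phony-files figure from the thread.
    for p in (0, 10, 2200):
        print(
            f"phony={p:5d} expected_fetches={float(expected_fetches(p)):8.1f} "
            f"acting_within_100={float(fraction_acting_within(p, 100)):.3f} "
            f"sim={simulate(1000, p, 100)}"
        )
```

With 2200 phony files and a budget of 100 fetches, only about 4.5% of bots ever reach the real file in time, which is the "reduced to a few machines" effect the comment describes; the operator can counter only by publishing faster or by changing the key, which is why the thread also discusses key changes.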
No, they're changing the key. Essentially you're decoupling the node. Everything is there; it's just that the password for that particular node of the botnet is reset. That doesn't change the fact that the ability to execute malicious code is still there, and if anyone tracked the keys that were used to overwrite that of the botnet, they could set up their own network.
Oh honey look... How cute... an angry slashdotter!
You can be sued for anything. Being sued for something doesn't mean that act is: illegal, immoral, unethical, or mean.
That said, many, many jurisdictions in the United States have a so-called "Good Samaritan" law. This is a law that protects you from criminal charges and, depending on the state, lawsuits. For instance, the law in Texas is quite broad and protects anyone who acts in good faith from any civil damages. On the other hand, California's law is much more strict, and protects only licensed EMTs, Doctors, Nurses, etc. at the actual scene of an emergency.
Know the law in your state! http://www.cprinstructor.com/legal.htm
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
By making data clearly different from executables? I mean, how about "The attachment you are trying to open is NOT a movie/picture/sound/etc. It is a program that has unlimited access to your machine."
Your ad here. Ask me how!